DreamFactory’s Azure AD connector makes it easy to use an Azure Active Directory tenant for API authentication. By using Azure AD Application Roles it is also possible to assign Users and Groups to DreamFactory roles from the Azure Portal. In this example, we will show how to quickly configure DreamFactory with the proper metadata from Microsoft Azure Active Directory (Azure AD).
Azure AD is built on top of the OAuth 2.0 protocol, which defines several authentication flows that all end with the user obtaining an access token for authenticating against a given resource.
In this workflow, users will be redirected from the DreamFactory application to their Microsoft Azure login screen. There, individuals will be prompted to enter an email and password before gaining access to the application resource. Let’s begin by creating a new application within the Azure Active Directory.
To configure OAuth 2.0 authentication using the client credentials grant type, you need to register both the web service and the client applications in Azure Active Directory. To learn how to do this, see the Microsoft documentation.
A client application is an application that requests a protected resource. After you register it in Azure Active Directory, you need to perform the following steps to apply the client credentials grant type:
Copy the Application (client) ID somewhere safe. You will need it to link the client to the web service and to configure request authentication:
After completing the application provisioning within Azure AD, you can now complete the configuration with DreamFactory. Using the metadata from your Azure AD instance as a reference, proceed with setting up the Azure Active Directory OAuth connector by clicking on the DreamFactory Services tab, navigating to the OAuth service type, and then selecting the Azure Active Directory OAuth connector.
Client Secret – String. Required. A private string used by the service to authenticate the identity of the application.
Redirect URL – String. Required. The location the user will be redirected to after a successful login.
Icon Class – String. Optional. The icon to display for this OAuth service.
Tenant ID – String. Required. Found in the Overview section of the Azure application.
Resource – String. Required. Enter https://graph.windows.net/
In the above screenshot, the redirect URL is https://demo.dreamfactory/oauth.php. This is a live script that dumps the contents of the DreamFactory JWT. The oauth.php code is shown below (you can also download it from https://gist.github.com/wjgilmore/011f11455b62f35bfefbcfb0b7d8d143). You can use this script to confirm that your connector is configured correctly: if login succeeds, the script dumps the session token to the browser window.
<?php

# Query string that Azure AD appended to the redirect URL (the OAuth
# callback parameters); it is handed to DreamFactory unchanged.
$qs = $_SERVER['QUERY_STRING'];

# Base URL of the DreamFactory instance. No trailing slash, because the
# path below starts with one (the original produced a double slash).
$domain = 'https://demo.dreamfactory.com';

# Create a connection: DreamFactory completes the OAuth exchange and
# returns a session object containing the JWT (session_token).
$url = $domain . '/api/v2/user/session?oauth_callback=true&' . $qs;
$ch = curl_init($url);

# Setting our options: POST with an empty body, and return the response
# as a string instead of printing it directly.
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

# Get the response, reporting transport errors instead of decoding "false"
$response = curl_exec($ch);
if ($response === false) {
    die('curl error: ' . curl_error($ch));
}
curl_close($ch);

# Dump the decoded session object, including session_token (the JWT)
var_dump(json_decode($response));
Let’s review this code:
Of course, in a real-world situation you wouldn't dump the JWT. Instead, you would parse the response object and pass the session_token value back on subsequent requests in the X-DreamFactory-Session-Token header. DreamFactory checks the validity of the token on each request and rejects the request if the token has expired.
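A callback script that does what the paragraph above describes, added here as an example (it is not part of the original post or of DreamFactory's own code): it completes the OAuth callback, keeps session_token in a server-side PHP session rather than in the browser, and sends it in the X-DreamFactory-Session-Token header on a follow-up call. The instance URL and the use of GET /api/v2/user/profile as the follow-up endpoint are assumptions.

```php
<?php
// Added example, not the post's oauth.php. Assumed: the DreamFactory
// instance URL below, and that /api/v2/user/profile is reachable for
// the logged-in user (DreamFactory's user profile endpoint).
declare(strict_types=1);
session_start();

const DF_BASE = 'https://demo.dreamfactory.com';   // assumed instance URL

// Send a JSON request to DreamFactory, attaching the session token when we have one.
function dfRequest(string $method, string $path, ?string $token = null): array
{
    $ch = curl_init(DF_BASE . $path);
    $headers = ['Accept: application/json'];
    if ($token !== null) {
        $headers[] = 'X-DreamFactory-Session-Token: ' . $token;
    }
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_SSL_VERIFYPEER => true,   // keep TLS verification on
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('transport error talking to DreamFactory');
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        throw new RuntimeException('non-JSON response from DreamFactory');
    }
    if ($status >= 400) {   // includes 401 for an expired or invalid token
        throw new RuntimeException("DreamFactory returned HTTP $status");
    }
    return $data;
}

// 1. Complete the OAuth callback, forwarding Azure AD's query string as the
//    post's oauth.php does, but never echoing the returned JWT to the page.
$session = dfRequest('POST', '/api/v2/user/session?oauth_callback=true&' . $_SERVER['QUERY_STRING']);
if (empty($session['session_token'])) {
    http_response_code(401);
    exit('Login failed');
}
$_SESSION['df_token'] = $session['session_token'];   // server-side only

// 2. Reuse the token on a follow-up request via the session-token header.
$profile = dfRequest('GET', '/api/v2/user/profile', $_SESSION['df_token']);
header('Content-Type: text/plain');
echo 'Logged in as ', $profile['email'] ?? $session['email'] ?? '(unknown)', "\n";
```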
Now you should be finished! Log in to your instance and test it out. If you have any comments or concerns about our code or the steps to reproduce it, feel free to reach out to us at code AT dreamfactory.com with your thoughts!